Create Interactive Tour

Windows Analysis Report
wsl-gvproxy.exe

Overview

General Information

Sample Name:	wsl-gvproxy.exe
Analysis ID:	781501
MD5:	0f9947ddab6bf8d7a6b350ec8395985e
SHA1:	9548a4ec9b2aa36c1c37637137f6abddb57fd111
SHA256:	e9ca88be09c6d5abdafd569f470bce9a1bf15753566a05fe070f54c8240c12c5
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

PE file contains more sections than normal

Potential time zone aware malware

Program does not show much activity (idle)

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

wsl-gvproxy.exe (PID: 4536 cmdline: "C:\Users\user\Desktop\wsl-gvproxy.exe" -install MD5: 0F9947DDAB6BF8D7A6B350EC8395985E)

wsl-gvproxy.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\wsl-gvproxy.exe" /install MD5: 0F9947DDAB6BF8D7A6B350EC8395985E)

wsl-gvproxy.exe (PID: 2148 cmdline: "C:\Users\user\Desktop\wsl-gvproxy.exe" /load MD5: 0F9947DDAB6BF8D7A6B350EC8395985E)

cleanup

Joe Sandbox Signatures

• Compliance
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: wsl-gvproxy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: wsl-gvproxy.exe

Static PE information: Number of sections : 13 > 10

Source: wsl-gvproxy.exe	Static PE information: Section: /19 ZLIB complexity 0.9986632986706689
Source: wsl-gvproxy.exe	Static PE information: Section: /32 ZLIB complexity 0.9926382211538461
Source: wsl-gvproxy.exe	Static PE information: Section: /65 ZLIB complexity 0.9985654182370184
Source: wsl-gvproxy.exe	Static PE information: Section: /78 ZLIB complexity 0.9889807084837545

Source: wsl-gvproxy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wsl-gvproxy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wsl-gvproxy.exe	String found in binary or memory: entersyscallentrust-aaasentrust-aamsentrust-kmshexasoftport1ezmessagesrvfacilityviewfaxstfx-portfcopy-serverfcp-cics-gw1ferrari-foamfg-sysupdatefinalizeOncefjappmgrbulkfjippol-cnslfjitsuappmgrfont-serviceforesyte-secfujitsu-neatfunk-dialoutfunk-licensegalaxy7-datagcBitsArenasgcpacertracegenisar-portgeognosismangetaddrinfowglobal-wlinkglobecast-idgnutella-rtrgnutella-svcgre-udp-dtlsgridgen-elmdgw-call-porth323gatedisch323gatestath323hostcallhacl-monitorharddecommithfcs-managerhhb-handheldhiperscan-idhmac-sha1-96hmac-sha256.host is downhp-alarm-mgrhp-collectorhpvmmcontrolhttp2debug=1http2debug=2hub-open-nethypercube-lmias-neighboriatp-highpriibm-dial-outibm-mqseriesibridge-dataibridge-mgmtice-locationicl-twobase1icl-twobase2icl-twobase3icl-twobase4icl-twobase5icl-twobase6icl-twobase7icl-twobase8icl-twobase9icmpv6Filterieee-mms-sslifsf-hb-portillegal seekimoguia-portinfo requestintel-rci-mpinterintelliintrepid-sslinvalid argsinvalid baseinvalid portinvalid slotinvalid typeio-dist-dataip-provisionipcs-commandiphlpapi.dllipv6HopLimitiscsi-targetiss-mgmt-sslitu-bicc-stciuhsctpassocivs-databasejaxflow-datajeol-nsddp-1jeol-nsddp-2jeol-nsddp-3jeol-nsddp-4jeol-nsdtp-1jeol-nsdtp-2jeol-nsdtp-3jeol-nsdtp-4jetcmeserverjmq-daemon-1jmq-daemon-2kentrox-protkerberos-admkernel32.dllkexDHInitMsgkey exchangelanmessengerlanrevserverlbc-watchdoglfstack.pushlibelle-disclisp-controllistcrt-portlistmgr-portlm-perfworkslogrus_errorlontalk-normmadvdontneedmagiccontrolmanyone-httpmatip-type-amatip-type-bmax-forwardsmaxMonotonicmc-appservermcns-tel-retmcs-fastmailmctet-mastermercury-discmetatude-mdsmgcp-gatewaymheapSpecialmicrocom-sbpmicromuse-lmmicrosoft-dsmillisecondsmindarray-camnp-exchangemobrien-chatmortgagewaremppolicy-mgrms-licensingms-streamingmsfw-controlmsfw-replicamsfw-storagemspanSpecialmtcevrunqmanmti-tcs-commmulticastTTLmvs-capacitymyq-termlinknas-meteringnav-data-cmdncacn-ip-tcpncadg-ip-udpncdmirroringnec-raidplusnetapi32.dllnetbill-authnetbill-crednetbill-prodnetconf-beepnetdb-exportnetiq-qchecknetop-schoolnetspeak-acdnetspeak-cpsnettgain-nmsnetworklenssnetxms-agentneverofflinenewlixconfignewlixenginenexus-portalnicetec-mgmtnim-vdrshellnimbusdbctrlnimrod-agentno such fileno such hostnod-providernot pollablenovar-globalnovell-lu6-2npds-trackernssocketportnucleus-sandoceansoft-lmoemcacao-rmioffice-toolsomabcastltkmonehome-helpoob-ws-httpsopalis-robotopennl-voiceopenstack-idopsmessagingorbix-configorbplus-iioporigo-nativeosmosis-aeeaovrimosdbmanovsessionmgrp-net-remotep2pcommunitypassword-chgpatrol-mq-gmpatrol-mq-nmpay-per-viewpcsync-httpspictrographypkix-3-ca-raplaysta2-appplaysta2-lobplysrv-httpspmsm-webrctlpn-requesterpolicyserverpowergemplusppactivationprecise-commprism-deployprofinet-rtmprosharedatapt2-discoverqb-db-serverqsnet-assistqsnet-workstraceFiniLockrdb-dbs-dispreadShutdownrecentTSTimeredwood-chatreflect.Copyreleasep: m=remotedeployresource-mgrretransmitTSrjcdb-vcardsrobot-remoterpki-rtr-tlsrsa-sha2-256rsa-sha2-512rsisysaccessrsvp-encap-1rsvp-encap-2
Source: wsl-gvproxy.exe	String found in binary or memory: .WithDeadline(169.254.0.0/161907348632812520060102150405802.1P VLAN ID95367431640625: extra text: <not Stringer>ANINetworkNameAccept-CharsetAccess-RequestAcct-AuthenticAuthenticationAuto-ConfigureBad TruncationBoot File SizeCHAP-ChallengeCLICOLOR_FORCECertCloseStoreChallenge textChecksumErrorsCiscoDiscoveryClosedReceiverCluster ReportCoInitializeExCoUninitializeCodeEDNSKeyTagContent-LengthControlServiceCounter SampleCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomDNSKEY MissingDSA-NSEC3-SHA1Dkim-SignatureDot11CtrlCFEndDot11DataCFAckERSPAN Type IIExtensionsPathFMS DescriptorFastRetransmitFindFirstFileWFormatMessageWFramed-RoutingGC assist waitGC worker initGET_DESCRIPTORGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWHostPrecedenceICMPv6RedirectIEEE 1394.1995INTERNAL_ERRORIPv6PacketInfoImpress ServerInputInterfaceInstEmptyWidthInterface NameIsWellKnownSidIsWow64ProcessLiebDevMgmt-DMListening on: LoadLibraryExWLogin-LAT-NodeLogin-LAT-PortLogin-TCP-PortMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMalformedQueryManagement MICMaxPayloadSizeMoSIPv6AddressModule32FirstWMultiple BSSIDNAS-IP-AddressNAS-IdentifierNeighborState(NetUserGetInfoNot AcceptableOVSDP CountersOpenSCManagerWOther_ID_StartPPPoEDiscoveryPROTOCOL_ERRORPS-Capture-ProPassword-RetryPattern_SyntaxPendingBufUsedPort ComponentPowerAlert-nsaProcess32NextWProtocol HelloQOS CapabilityQuery End TimeQuotation_MarkRCodeNameErrorRDNSSSelectionREFUSED_STREAMREQUEST_METHODRIC DescriptorRRSIGs MissingRTTMeasureTimeReceivedBlocksRegSetValueExWSCTPCookieEchoSCTPEmptyLayerSET_DESCRIPTORSet the subnetSetConsoleModeSetFilePointerSetThreadTokenSignal QualitySizeofResourceSourceIsolatedSpare Pair POEStandard SFlowTCPRcvBufStateTCPSenderStateTCPSndBufStateTimestampReplyTranslateNameWUSB < 40 bytesUnknown methodUnknown reasonUnknownPPPTypeVerQueryValueWVirtualProtectVirtualQueryExWNM-Sleep Mode[%s %p] %s:
Source: wsl-gvproxy.exe	String found in binary or memory: 0123456789ABCDEFX0123456789abcdefx060102150405Z070011920928955078125596046447753906255a:94:ef:e4:0c:dd5a:94:ef:e4:0c:ee: missing method AES-HMAC-SHA1-128ALLOW_NEW_SOURCESAP Channel ReportARP Cache TimeoutAcct-Input-OctetsAcct-Session-TimeAdjustTokenGroupsAgere ProprietaryAntenna Sector IDBLOCK_OLD_SOURCESBayStack EthernetBroadcast AddressCDP TLV < 4 bytesCOMPRESSION_ERRORCalled-Station-IdCertFindExtensionChassis ComponentCiena CorporationClient identifierCryptDecodeObjectCtrlPowersavePollDHCP Message TypeDataQOSDataCFPollDiagnostic ReportDnsRecordListFreeDot11CtrlBlockAckDot11CtrlCFEndAckDot11MgmtProbeReqEFI RISC-V 32-bitEFI RISC-V 64-bitEFI Sunway 32-bitEFI Sunway 64-bitENHANCE_YOUR_CALMERP Information-2ETHERNET-ISO88023Ethernet and FDDIExcessiveTimeSkewExtended BSS LoadExtended ScheduleFLE Standard TimeFailed DependencyFramed-IP-AddressFramed-IP-NetmaskGC assist markingGET_CONFIGURATIONGMT Standard TimeGTB Standard TimeGate AnnouncementGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHTTP_1_1_REQUIREDHasIPv6PacketInfoIPv4Option(%v:%v)ISO88024-TOKENBUSIf-Modified-SinceIntel Lean ClientInvalid level: %dIsForwardedPacketIsTokenRestrictedKerberosRealmNameLeasequeryRelayIDLink State UpdateLogin-LAT-ServiceLookupAccountSidWMoSDomainNameListMoved PermanentlyNetBiosOverTCPDDSNetworkPacketInfoNo AuthenticationNot AuthoritativeOPTera Metro 3500Old_North_ArabianOld_South_ArabianOther_ID_ContinuePacketTooBigCountPower consumptionQBSS Load ElementQueryWorkingSetExReadProcessMemoryReconfigureAcceptRegLoadMUIStringWRemoteLinkAddressRoot AnnouncementS46PortParametersSACKScoreboard: {SET_CONFIGURATIONSLP Service ScopeSentence_TerminalServer IdentifierSignature ExpiredStreetTalk ServerSubnet AllocationSystemFunction036TXOP doze allowedToo Many RequestsTransfer-EncodingTunnel-PreferenceUnified_IdeographUnknownIPProtocolWSAEnumProtocolsWWTSQueryUserTokenWantZeroRcvWindowWiegand Interface
Source: wsl-gvproxy.exe	String found in binary or memory: /go/pkg/mod/gvisor.dev/gvisor@v0.0.0-20220908032458-edc830a43ba6/pkg/state/addr_set.go
Source: wsl-gvproxy.exe	String found in binary or memory: /go/pkg/mod/gvisor.dev/gvisor@v0.0.0-20220908032458-edc830a43ba6/pkg/tcpip/stack/addressable_endpoint_state.go

Source: classification engine

Classification label: clean2.winEXE@3/0@0/0

Source: unknown	Process created: C:\Users\user\Desktop\wsl-gvproxy.exe "C:\Users\user\Desktop\wsl-gvproxy.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\wsl-gvproxy.exe "C:\Users\user\Desktop\wsl-gvproxy.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\wsl-gvproxy.exe "C:\Users\user\Desktop\wsl-gvproxy.exe" /load

Source: wsl-gvproxy.exe

Static file information: File size 12012032 > 1048576

Source: wsl-gvproxy.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: wsl-gvproxy.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x367400
Source: wsl-gvproxy.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x43ec00
Source: wsl-gvproxy.exe	Static PE information: Raw size of /65 is bigger than: 0x100000 < 0x12a800

Source: wsl-gvproxy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: wsl-gvproxy.exe	Static PE information: section name: /4
Source: wsl-gvproxy.exe	Static PE information: section name: /19
Source: wsl-gvproxy.exe	Static PE information: section name: /32
Source: wsl-gvproxy.exe	Static PE information: section name: /46
Source: wsl-gvproxy.exe	Static PE information: section name: /65
Source: wsl-gvproxy.exe	Static PE information: section name: /78
Source: wsl-gvproxy.exe	Static PE information: section name: /90
Source: wsl-gvproxy.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wsl-gvproxy.exe	System information queried: CurrentTimeZoneInformation			Jump to behavior
Source: C:\Users\user\Desktop\wsl-gvproxy.exe	System information queried: CurrentTimeZoneInformation			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: wsl-gvproxy.exe	Binary or memory string: github.com/containers/gvisor-tap-vsock/pkg/tap.(*qemuProtocol).Stream
Source: wsl-gvproxy.exe	Binary or memory string: github.com/containers/gvisor-tap-vsock/pkg/tap.(*qemuProtocol).Write
Source: wsl-gvproxy.exe	Binary or memory string: traceroutetransPrototreehoppertrim-eventtriomotionttntspautotupleEntryudrawgraphunicontrolunifyadminunixpacketunknown pcunknown_caupnotifypsups-engineuser-agentuser32.dllva-pacbasevacdsm-appvacdsm-swsvalisys-lmvaradero-0varadero-1varadero-2vergencecmvideobeansvipera-sslvirprot-lmvisweathervmware-fdmvnwk-prapivoxelstormvrcommercevsnm-agentwap-vcal-swbem-httpswcr-remlibwebemshttpwebmachinewebobjectswhosockamiwimaxasncpwinpharaohws2_32.dllwsdl-eventwsm-serverwssauthsvcwv-csp-smsx-bone-apix-bone-ctlx2-controlxmlblasterxn-controlxserveraidxsum: 0x%xxw-controlxyplex-muxzephyr-cltzephyr-srvzieto-sockzigbee-ips of size (targetpc= , plugin: KiB work, exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%d.%d.%d.%d, elemsize=, npages = , truncated.WithCancel/dev/stderr/dev/stdout/forwarder//index.html305175781253m-image-lm4-tieropmgw802-11-iapp: frame.sp=;; opcode: AES-128-CBCAES-192-CBCAES-256-CBCARPTrailersAS SequenceAUTHORITY: AltChecksumAlteon 180eBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256BackupWriteBad GatewayBad RequestBootFileURLBootRequestCallback-IdClassHESIODCloseHandleCoGetObjectCodePaddingCopiedBytesCreateFileWCtrlWrapperDMS RequestData SourceDataMissingDataQOSDataDataQOSNullDatagramMTUDeleteFileWDives_AkuruDomain NameDupAckCountEAP-MessageEFI ItaniumENABLE_PUSHEND_HEADERSESTABLISHEDEarly HintsEchoRequestEgressRouteElapsedTimeEndSequenceEnergy WiseEnumWindowsEthernetCTPExitProcessFMS RequestFRAME-RELAYFlow SampleFrame RelayFramed-PoolFreeLibraryFull DuplexGOTRACEBACKGeolocationGetFileTypeHTTPS_PROXYHasHopLimitHostUnknownIPv6RoutingIdeographicIn-Reply-ToInfoRequestInstCaptureInstRuneAnyIntel x86PCInterfaceIDInvalidArgsInvalidatedKerberosKDCLQStartTimeLeave GroupLinkAddressLoST ServerMAC AddressMCSIndex#%dMPLSUnicastMarshalJSONMarshalTextMaxDHCPSizeMeasureTimeMedefaidrinMessageBoxWMessageTypeMobilitySrvMoveFileExWNAS-Port-IdNDS ContextNDS ServersNNTP ServerNTP ServersName ServerNandinagariNative VLANNetShareAddNetShareDelNew_Tai_LueOPTera 8003Old_PersianOld_SogdianOpenProcessOutstandingPTI ControlPacketsSentPau_Cin_HauProxy-StateQoS Map SetRapidCommitRcvBufStateRcvWndScaleReconfigureRegCloseKeyRetransmitsReturn-PathS64PrioritySCTPInitAckSET_ADDRESSSET_FEATURESHA-512/224SHA-512/256SIP ServersSMTP ServerSNTPServersSerial LineSet the MTUSetFileTimeShutdownAckSignWritingSndBufStateSndWndScaleSoft_DottedSolicitAddrStaticRouteStatus CodeSubnet MaskSwap ServerSwitch NodeSystem NameTCPRTTStateTFS RequestTPC RequestTTLExceededTime OffsetTime ServerTunnel-TypeUNKNOWN(%d)USERPROFILEUnknown DIDUnknown(%d)UnspecifiedVendorClassVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWindowScaleWriteClosedWriteErrorsXFontServer[:^xdigit:]
Source: wsl-gvproxy.exe	Binary or memory string: /go/pkg/mod/github.com/containers/gvisor-tap-vsock@v0.4.1-0.20221117045408-8fa817ade332/pkg/virtualnetwork/qemu.go
Source: wsl-gvproxy.exe	Binary or memory string: github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork.(*VirtualNetwork).AcceptQemu
Source: wsl-gvproxy.exe	Binary or memory string: AcceptQemu
Source: wsl-gvproxy.exe	Binary or memory string: github.com/containers/gvisor-tap-vsock/pkg/tap.(*qemuProtocol).Buf
Source: wsl-gvproxy.exe	Binary or memory string: *tap.qemuProtocol
Source: wsl-gvproxy.exe	Binary or memory string: 9qemuu
Source: wsl-gvproxy.exe	Binary or memory string: github.com/containers/gvisor-tap-vsock/pkg/tap.(*qemuProtocol).Read
Source: wsl-gvproxy.exe	Binary or memory string: @ %v MB, and cnt= max= ms, ptr tab= top=%.1f %d %d%s*%d%s-%d%s/%d%s/%s%s:%d%s:%s%s=%s%s=%x%v:%v%v%s"'&(end)+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp/dhcp156252ping3exmp3l-l13link4talk78125:path<nil>AFSDBATM 2ATM 3AbortAdlamAlertAprilBOUNDBamumBatakBuhidCCNewCLASSCNAMECSYNCCauseChaosClassCubicDHCIDDNAMEDebugDograDot11Dot1QE.163EAPOLECDSAED448ERROREUI48EUI64ErrorFRAG,FatalFirstFlagsFoundGFSK,Ghz2,Ghz5,GreekH.248H.323HINFOHTTPSHelloHook(IA_NAIA_TAISPKIKhmerLatinLimbuLocalMAILAMAILBMAPOSMINFOMarchNAPTRNICIDNINFONSEC3NoACKNoiseNushuOFDM,OFFEROfferOghamOriyaOsageOtherOwnerP-224P-256P-384P-521PFLogPPPoEPRACKPrismQUERYQueryQuietREFERRRSIGRangeRealmRenewReordReplyRulesRunicS46BRSFlowSHA-1SIMCOSSHFPSTermStartStateTSEcrTSValTakriTamilTypeAU-PIDUINFOVXLAN\u202] = (a1-bsaboutaccelackedacnetacpltacteradrepads-caesopafrogagcatagslbaisesalarmalfinaliasallowalpesaltcpamqpsaol-1aol-2aol-3apdapapocdarcpdarrayasdisasmpsauditaurisavianayiyaazetiaztecbabelbbarsbeorlbh611bhfhsbhmdsbinkpblazebmdssbonesbpdbmbrainbrucebv-dsbv-isbytexcamaccandpcawasccmadcft-0cft-1cft-2cft-3cft-4cft-5cft-6cft-7chunkclockclosecnhrpcoapscosircountcoviacpdlccppdpcsms2csrpccubiccvmoncvsupd-s-ndbasedbrefdebugdecapdeferdelaydemuxdicomdixiedmididns: dnsixdomiqdrwcsdsatpdsfgwe-mdue-nete-woaeapspecommeenetelcsdemwinepmaperroretb4jetftpeventewallewdgseyetvfalsefamdcfaultfemisff-smflagsflcrsfloatfmsasfodmsfoundfpitpftsrvg2taggFreegcinggenieghvpnginadglobeglrpcgolemgraspgrcmpgrubdgscangtauagv-pfgv-ushchanhelixhellohivephpiodhpssdhttpshttpxhuskyhydaphydraiRAPPiclidicmpdiconpicppsicpv2identigridimap2imap3imapsiminkimprsinedoinit insisint16int32int64ipassipcd3ipfixirdmiirisais99cis99siscsiitachitalkitosejoostjsteljt400kazaakdnetkioskkitimldapsleoiplevellightllmnrloginlutaplutcplv-jcm-wnnmailqmanetmatchmc3ssmcftpmcntpmeta5metermheapmikeymimermmcalmmpftmollymonthms-lamsfrsmsimsmsyncmumpsmuninmysqlnacnlncu-1ncu-2ncxcpndmpsneo4jneod1neod2netcpnetehnetgwnetiqnetmlnfapingr-tnicIDnimshninafnntpsnomadnomdbnppmpnq-apnsrmpnsstpntalkntohsnusrpnuxslnxlmdobrpdoc-lmodnspoidsromsdkonmuxorionosautosdcpotherovbusovobsovsdbovwdbownerpacompanicparsepcoippdnetperfdpipesplatopointpop3sppsmspressprsvppwdisq3adeqencpqmtpsqotpsqsoftquakequbesquosaqwaveradioradixrangerazorrdlapre101rebolredisreplyrfilerimslripngrmlnkrnmaprobixrootdrsf-1rsmtprsyncrtspsrune rushdrxapirxmons-bfds-netsaismsapv1sarissbcapsbookscav schedscscpsdmmpsenipsf-lmsflowsg-lmsgcipsgsapshellshilpsicctsievesimcosimonsleepsliceslmapslsccslushsmilesmptesmsqpsmwansnapdsnappsnaresockssolvesonarsonusspicespikespockspocpsruthss7nssscanssdtpsse41sse42ssmppssripssse3stackstarsstatestatsstdiostunssudogsuucpsvdrpsvnetswa-1swa-2swa-3swa-4swarmswdtpsweepswrmitbrpftempotexaitexartext/tftpsthrtxtigv2timedtotaltracetracktripetrofftsilbtupletvbustwcsstwrpcuadtcuarpsudp: uint8unifyuniteupdogus-gvusageutf-8utimevaluevchatvemmivenusvm-ipvmnetvmrdpvmsvcvnetdvracevslmpvstatvtsasvxlanweavewebsmwellowillywindbwinfswinrmwired
Source: wsl-gvproxy.exe	Binary or memory string: go.itab.*github.com/containers/gvisor-tap-vsock/pkg/tap.qemuProtocol,github.com/containers/gvisor-tap-vsock/pkg/tap.protocol
Source: wsl-gvproxy.exe, 00000000.00000002.265475175.000001754C504000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wsl-gvproxy.exe, 00000001.00000002.274139731.000001AD21698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: wsl-gvproxy.exe, 00000002.00000002.289781729.000001760B579000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Software Packing	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wsl-gvproxy.exe	3%	ReversingLabs
wsl-gvproxy.exe	1%	Virustotal		Browse

Domains and IPs

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	781501
Start date and time:	2023-01-10 14:45:41 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wsl-gvproxy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winEXE@3/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 100%) Quality average: 75.8% Quality standard deviation: 24.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target wsl-gvproxy.exe, PID 4536 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Joe Sandbox View / Context

Instruction
jmp 00007F696CC80E80h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F696CC84B2Eh
dec eax
mov eax, 00000000h
jmp 00007F696CC84BA5h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1237000	0x47c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1238000	0x1a672	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7a8720	0x140	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x367378	0x367400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x369000	0x43eaf0	0x43ec00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7a8000	0x7d51e0	0x3e200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0xf7e000	0x127	0x200	False	0.6171875	data	5.097874074212899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xf7f000	0x91b87	0x91c00	False	0.9986632986706689	data	7.997026581242689	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x1011000	0x1eda2	0x1ee00	False	0.9926382211538461	data	7.9398790238695165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x1030000	0x2a	0x200	False	0.091796875	data	0.7372102088396265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x1031000	0x12a7bc	0x12a800	False	0.9985654182370184	data	7.998514343936583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x115c000	0xad075	0xad200	False	0.9889807084837545	data	7.995827112152604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x120a000	0x2c3c3	0x2c400	False	0.9726617673022598	data	7.805660215103653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x1237000	0x47c	0x600	False	0.3333333333333333	data	3.676383301892774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1238000	0x1a672	0x1a800	False	0.1812168337264151	data	5.452686676824189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1253000	0xc06d8	0xc0800	False	0.1761109983766234	data	5.441444102535306	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
kernel32.dll	WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

• wsl-gvproxy.exe
• wsl-gvproxy.exe
• wsl-gvproxy.exe

Click to jump to process

Click to jump to process

Behavior

• wsl-gvproxy.exe
• wsl-gvproxy.exe
• wsl-gvproxy.exe

Click to jump to process

Target ID:	0
Start time:	14:46:36
Start date:	10/01/2023
Path:	C:\Users\user\Desktop\wsl-gvproxy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wsl-gvproxy.exe" -install
Imagebase:	0xd10000
File size:	12012032 bytes
MD5 hash:	0F9947DDAB6BF8D7A6B350EC8395985E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	14:46:40
Start date:	10/01/2023
Path:	C:\Users\user\Desktop\wsl-gvproxy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wsl-gvproxy.exe" /install
Imagebase:	0xd10000
File size:	12012032 bytes
MD5 hash:	0F9947DDAB6BF8D7A6B350EC8395985E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	14:46:45
Start date:	10/01/2023
Path:	C:\Users\user\Desktop\wsl-gvproxy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wsl-gvproxy.exe" /load
Imagebase:	0xd10000
File size:	12012032 bytes
MD5 hash:	0F9947DDAB6BF8D7A6B350EC8395985E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.8198074684398335
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	wsl-gvproxy.exe
File size:	12012032
MD5:	0f9947ddab6bf8d7a6b350ec8395985e
SHA1:	9548a4ec9b2aa36c1c37637137f6abddb57fd111
SHA256:	e9ca88be09c6d5abdafd569f470bce9a1bf15753566a05fe070f54c8240c12c5
SHA512:	428bf2fea13548c0e042c2cc7dde3bfc2ee38142204f9498f8cb675321cce939e49170c8411a20d48006c2182873cba6588b08632caa5ddc2c61f31b241046b0
SSDEEP:	98304:indCyJd00B5ZxGxEeeIspHl76aBCwfjdziAz8aJhEJYl4l2jQ0Rsf4m/eC:i5JdZlzFnImj0W8ElRCn
TLSH:	EDC67B47F85445E4CAE9C230C9A542627B717C894B207BC73B10BB793AB7BD46B7A390
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........B...0...."......t6.........@D........@..............................@1...........`... ............................

Entrypoint:	0x464440
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9cbefe68f395e67356e2a5d8d1b285c0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre


Icon Hash:	00828e8e8686b000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wsl-gvproxy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: wsl-gvproxy.exePID: 4536, Parent PID: 3452

General

File Activities

File Opened

File Written

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Key Value Enumerated

Windows Analysis Report
wsl-gvproxy.exe